It appears to be the first time an exploit kit has included PoS in its list of hackable platforms, putting them alongside the likes of Adobe Flash, Reader, Java, and Internet Explorer as targets crims think are low-hanging fruit.

Melgarejo says Angler often establishes a network beachhead with a malvertising campaign targeting web PoS terminals and vendors including Verifone.

"[The] PoS reconnaissance trojan (Troj_Recoload.a) checks for multiple conditions in the infected system such as if it is a PoS machine or part of a PoS network," Melgarejo says.

"It then proceeds to download specific malware depending on the conditions met.

Melgarejo says Angler uses some anti-analysis tricks to shut down in the presence of white hats including looking for running instances of Wireshark, virtualisation, sandboxing, and known malware probe tool usernames. ®